On 1-9-2015 02:03, Kevin Zheng wrote:
> On 08/31/2015 10:39, do...@sa... wrote:
>> My question goes back to the original question except that I am apparently the
>> only one on the list using inetd. My initial reasons for this being I am several
>> hours away from my servers and this seemed more prudent as testing mistakes are
>> slightly less fatal than with ipfw. And much more easily circumvented.
>
> I don't think it should matter whether you're running from 'inetd' or
> not, since all of the logs go through syslog. That's running, right?
>
>> Anyway, the inet version exhibits the same characteristic as originally
>> described. That is, I see 50-100 entries logged within a minute before sshguard
>> gets a block inserted. Restarting inetd is not required to pick up changes in the
>> file. I was assuming this to be a scheduling issue. In my case all the instances
>> of this are with PAM errors.
>
> Can you give me a few examples of the log entries you want blocked? I
> want to make sure that SSHGuard is actually picking them up as attacks.
>
>> One way to do this would be to launch all 100 (or so) attempts. The time stamps
>> suggest they are arriving about 1/sec but this could be PAM queuing the
>> requests.
>
> I'm not sure; I don't know much about PAM.
And make sure that syslogd is not summarizing the reporting.
Look at the -c option of syslogd:

    -c  Disable the compression of repeated instances of the same line
        into a single line of the form ``last message repeated N times''
        when the output is a pipe to another program. If specified
        twice, disable this compression in all cases.
--WjW